Category: NIST

NIST Publishes New Guide: “DNS-Based Email Security” about DANE and DNSSEC


How can we make email more secure and trusted? How can we encrypt all email between mail servers? And how can we use DANE and DNSSEC to provide that added layer of security?

Today the U.S. National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology released a “draft practice guide” exploring those exact questions. Titled “Domain Name System-Based Electronic Mail Security (NIST Special Publication 1800-6)”, the document offers guidance to enterprises and others on “how commercially available technologies can meet an organization’s needs to improve email security and defend against email-based attacks such as phishing and man-in-the-middle types of attacks.” Specifically, it gets into how DNSSEC and DANE can be used to authenticate server addresses and the Transport Layer Security (TLS) certificates used for confidentiality.

As NIST states on their web page, the goal of the project around this publication is:

  • Encrypt emails between mail servers
  • Allow individual email users to digitally sign and/or encrypt email messages
  • Allow email users to identify valid email senders as well as send digitally signed messages and validate signatures of received messages

You can download the guide or sections of it from that web page.

NIST is seeking public comments on this new guide from today through December 19, 2016.

It’s great to see NIST publishing this document and we hope everyone reading this post will take a look and spread the word.

And if you are interested in getting started with DNSSEC and DANE, please visit our Start Here page to find resources to help.

NIST Releases New Version of Secure DNS Deployment Guide (SP-800-81-2, Including DNSSEC)

Looking for a solid document about how to securely deploy DNS, including how to configure DNSSEC? We’ve written before about NIST’s excellent Secure DNS Deployment Guide and how it is very applicable to enterprises and organizations of all types, not just those of the US government. This morning NIST’s Scott Rose announced that a new version, SP-800-81-2, has been published at:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf

The formal NIST announcement indicates that this new revision…

…adds two new sections – one to provide guidance on secure setup of recursive DNS service and the other for securely configuring validating resolvers. It also incorporates knowledge gained from DNSSEC deployment experience to provide some updated guidance for DNS Administrators on cryptographic algorithm variables, configuration and operations.

In his email to the dnssec-deployment mailing list, Scott noted:

This revision includes new sections with recommendations for the enterprise level admin in setting up recursive servers, including DNSSEC validation. Please send any comments to scottr at nist.gov and/or mouli at nist.gov, since I’m not sure if the old comment address is still working.

Note that this revision was in the pipe when NIST re-opened the comment period for the NIST SP 800-90 series, so any cryptographic recommendations are pre-discovery and may be subject to change if any new information comes to light.

It’s excellent to see this revision and we definitely appreciate all the work that Scott and the others do at NIST that helps accelerate the deployment of DNSSEC!

NOTE: Scott let me know that NIST is definitely seeking comments on this document. Do you have suggestions for how it can be improved? Is there additional information they could add? Please contact him at the email addresses listed in his message. He is asking for comments within the next 30 days.